5.8
Table Of Contents
- VMware vRealize Configuration ManagerInstallation Guide
- Contents
- About This Book
- Preparing to Install VCM
- Common Prerequisites for All VCM Servers
- VCM Installation
- Post-Installation
- Hardware and Operating System Requirements for VCM Managed Machines
- VCM Agent Support on Non-English Windows Platforms
- VCM Managed Machine Requirements
- Linux, UNIX, and Mac OS Agent Files
- Windows Custom Information Supports PowerShell 2.0
- Linux and UNIX Patch Assessment and Deployment Requirements
- Support for VMware Cloud Infrastructure
- vRealize Operations Manager Integration Features
- FIPS Requirements
- Agent Sizing Information
- Index
If you change the account or its password, reconfigure anonymous access for the VCMRemote virtual
directory by using IIS Manager.
VCM Tomcat Service Account
The Tomcat service account serves as the VCM application programming interface for SQL login to the
VCM database server.
vSphere Client VCM Plug-in Service Account
The vSphere Client VCM Plug-in (VCVP) account provides vSphere access over HTTP to VCM managed
machines.
The VCM Advanced Installation option prompts for credentials for the VCVP account. Typical Installation
does not.
CSI_COMM_PROXY_USR Account
VCM creates a local account called CSI_COMM_PROXY_USR, under which the CM Communication Proxy
service runs. The CM Communication Proxy service is used for collection from ESX systems. Note that
ESX collections are for logs and kernel data only, and only on ESX, not ESXi.
If the account password changes, update the service so that it can continue to log in. If you replace the
account, configure the new account for login as a service, give it the same permissions, and add it to the
CSI_COMM_PROXY_SVC group. Also update the CM Communication Proxy service to use the new
account.
The CSI_COMM_PROXY_SVC group grants the rights needed for the service to access the data and
binaries that it needs.
IIS Application Pool Identity Account
CMAppPool and CMServices are IIS application pools used for VCM virtual directories and Web services.
They run under the built-in IIS ApplicationPoolIdentity account. No special configuration or password
management is needed for this built-in account.
Network Authority Account
The Network Authority account is for data collection from DCOMWindows machines, data collection
from Active Directory, and for Active Directory and NT domain discovery. VCM supports multiple
Network Authority accounts but must have at least a default Network Authority account configured.
Configure Network Authority accounts in VCM under the Administration slider.
If the account password changes, you must also update the password in VCM.
Network Authority accounts require local administrator permission on any Windows machine that they
access, and SQL Server sysadmin rights if collecting SQL Server data. When policies permit, and for
convenience, make the Network Authority account a separate, domain administrator account with
permissions on Windows machines throughout a large enterprise.
About Network Authority Account Permissions
The VCM Agent requires a variety of permissions on the endpoint system. The DCOM Agent needs to
launch and activate DCOM, and all Agents need access to Windows Management Instrumentation (WMI),
private registry values, and the Service Control Manager (SCM).
Non-administrative user accounts do not have access to these resources by default, so VMware
recommends an account with local administrative rights in the case of DCOM, or the default of the
LocalSystem account as represented by the CM Agent Delegate in the case of HTTP.
Preparing to Install VCM
VMware, Inc.
11